700 Million Records Found on Server Powering Onliner Spambot

A Paris-based malware researcher known as Benkow has discovered more than 700 million records used by the Onliner spambot on a misconfigured server. The records comprise a large number of email addresses, passwords and SMTP configurations. Researcher Troy Hunt has subsequently added the lists to his Have I Been Pwned (HIBP) website and service.

The IP address of the misconfigured server has been traced to the Netherlands. "Benkow and I," wrote Hunt in a blog post yesterday, "have been in touch with a trusted source there who's communicating with law enforcement in an attempt to get it shut down ASAP." However, since the database was exposed on the internet, it has possibly been accessed and downloaded by other actors.

"It is naive to think that this was not also accessed by other criminal or spammer groups, as this information is of paramount value to those kinds of groups," comments John Bambenek, threat intelligence manager at Fidelis Cybersecurity. He added, "Sometimes humans make mistakes, which is why it is essential to build datasets and monitoring to track their activity over the long term. These kinds of mistakes are what help us get these hackers arrested so they can become guests of the local Western government's prison system."

Although the spambot holds a huge number of potential targets, Benkow, in his own blog post, describes it as being used in a targeted manner. "This spambot has been used since at least 2016 to spread a banking trojan called Ursnif. I have seen this spambot targeting specific countries like Italy, or specific businesses like hotels."

He suggests that the targeted approach is partly a response to the spam detection and prevention technologies developed and deployed over the last few years: the open relays once used for spam distribution are now largely blacklisted. Instead, spammers first compromise a large number of websites (Benkow suggests ten to twenty thousand) and use them to host a PHP script that sends out the emails. Given the "almost infinite number of out-of-date websites on the Internet," he says, "it's difficult to blacklist every website and it's really easy to use them for the spammer."

The email target lists used for malware campaigns are not random, but methodically built. The spammer first uses the spambot to send out apparently harmless emails; Benkow shows an example of one in his post.

However, the email contains a single-pixel, invisible GIF used to fingerprint the recipient's device. Benkow explains, "When you open this random spam, a request with your IP and your User-Agent will be sent to the server that hosts the gif. With this information, the spammer is able to know when you have opened the email, from where and on which device (iPhone? Outlook?...). At the same time, the request also allows the attacker to know that the email is valid and people actually open spams :)."

Using this information, the spammer can classify targets and limit the actual malware-delivering spam to recipients likely to run the payload. Keeping the volume down and the targeting precise makes the campaign less likely to attract the attention of law enforcement; spam that tries to deliver Windows malware to iPhones, for example, is simply not sent.
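The classification step described above, as an added example that is not part of the original article or Benkow's analysis: the pixel host's web server log is all the spammer needs. The script parses constructed access-log lines, keeps only fetches of the tracking GIF, recovers the per-recipient token assumed to be carried in the pixel URL (the `id=` parameter and the `/img/p.gif` path are assumptions, not something the article reports), classifies each fetch by User-Agent, and then selects the recipients whose opens came from a platform the payload targets.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (common log format with referer and User-Agent),
# as the server hosting the tracking GIF would record them. IPs are from the
# documentation ranges; the id= token is an assumed per-recipient identifier.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Aug/2017:09:12:01 +0000] "GET /img/p.gif?id=a1b2c3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304"
198.51.100.7 - - [24/Aug/2017:09:13:44 +0000] "GET /img/p.gif?id=d4e5f6 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Microsoft Outlook 16.0.8326; ms-office)"
192.0.2.55 - - [24/Aug/2017:09:15:02 +0000] "GET /img/p.gif?id=a1b2c3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
198.51.100.7 - - [24/Aug/2017:09:16:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.54.0"
"""

# One log line: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

PIXEL_PATH = "/img/p.gif"  # assumed location of the 1x1 GIF


def classify_ua(ua):
    """Coarse platform bucket from the User-Agent string (order matters)."""
    u = ua.lower()
    if "iphone" in u or "ipad" in u:
        return "ios"
    if "android" in u:
        return "android"
    if "microsoft outlook" in u or "ms-office" in u:
        return "windows-outlook"
    if "windows nt" in u:
        return "windows"
    if "macintosh" in u:
        return "macos"
    return "unknown"


def parse_opens(log_text, pixel_path=PIXEL_PATH):
    """Map recipient token -> list of (ip, platform), pixel fetches only."""
    opens = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand
        url = urlsplit(m["path"])
        if url.path != pixel_path:
            continue  # unrelated request, e.g. a crawler hitting index.html
        token = parse_qs(url.query).get("id", [None])[0]
        if token is None:
            continue  # pixel fetched without a recipient token
        opens.setdefault(token, []).append((m["ip"], classify_ua(m["ua"])))
    return opens


def select_targets(opens, platforms):
    """Recipients who opened the probe at least once on one of `platforms`."""
    return sorted(
        token for token, hits in opens.items()
        if any(platform in platforms for _, platform in hits)
    )


if __name__ == "__main__":
    opens = parse_opens(SAMPLE_LOG)
    for token, hits in opens.items():
        print(token, hits)
    print("Windows targets:", select_targets(opens, {"windows", "windows-outlook"}))
```

The same token is seen twice here for `a1b2c3`, once from an iPhone and once from Windows, which is the reason the selection is by "any open from a targeted platform" rather than by the first hit. On the defensive side, this is also why mail clients that do not load remote images by default defeat the probe entirely: no GET, no validation, no fingerprint.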

Benkow believes that researchers should spend more time analyzing spammers and spambots. "In a successful cybercrime campaign there are different parts, the final payload is important but the spam process is very critical too," he writes. "Some malware campaigns like Locky are successful also because the spamming process works well."

Meanwhile, Troy Hunt has performed some analysis on the spambot data. To put the size in perspective, he notes that the database contains almost as many records as the entire population of Europe: a total of 711 million. It comprises "masses and masses of email addresses" (spam targets) and email/password combinations (used to abuse the owners' SMTP servers to deliver the spam).

Not all the data is immediately usable: "There's also some pretty poorly parsed data in there which I suspect may have been scraped off the web," writes Hunt. "For example, Employe[email protected]bowelcanceruk.org.uk appears twice."

One of the files contains 1.2 million rows that seem to be emails and passwords from a LinkedIn breach. The passwords are in plaintext. "All those passwords [in the LinkedIn breach] were exposed as SHA1 hashes (no salt)," he notes, "so it's quite possible these are just a small sample of the 164m addresses that were in there and had readily crackable passwords."

He also notes that a similar file contains 4.2 million email address/password pairs that almost certainly come from the massive Exploit.In combo list. "This should give you an appreciation of how our data is redistributed over and over again once it's out there in the public domain," he comments.

Another file contains 3,000 records with email, password, SMTP server and port. "This immediately illustrates the value of the data," he adds: "thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports."
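A triage pass over a dump like this, as an added example that is not part of the article or of Hunt's own processing: rows arrive in the three shapes he describes (bare address, `email:password`, `email:password:smtp-host:port`), mixed with scraped junk. The script below classifies constructed rows by shape, validates the address so poorly parsed entries are counted rather than silently loaded, counts unique addresses, and pulls out the SMTP hosts, which are the part a responder would want to notify first. The colon-separated layout is an assumption; combo lists also use `;` and tabs.

```python
import re
from collections import Counter

# Constructed sample rows in the shapes Hunt describes, plus a duplicate and
# two scraped-looking fragments. Domains are reserved example names.
SAMPLE_ROWS = """\
alice@example.com
bob@example.org:hunter2
carol@example.net:Passw0rd!:mail.example.net:587
dave@example.com:let:me:in:smtp.example.com:465
alice@example.com
employee.example.co.uk:qwerty
Contact us at example.com
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def classify_row(row):
    """Return (kind, email, smtp_host, smtp_port) for one dump row.

    kind is one of: address, credential, smtp, malformed. Passwords may
    contain ':' so the SMTP suffix is peeled off from the right, not the left.
    """
    email, sep, rest = row.partition(":")
    if not EMAIL_RE.match(email):
        return ("malformed", row, None, None)
    if not sep:
        return ("address", email, None, None)
    tail = rest.rsplit(":", 2)  # [password, host, port] if this is an SMTP row
    if len(tail) == 3 and tail[2].isdigit() and HOST_RE.match(tail[1]):
        return ("smtp", email, tail[1], int(tail[2]))
    return ("credential", email, None, None)


def triage(text):
    """Summarise a dump: counts by kind, unique valid addresses, SMTP hosts."""
    counts = Counter()
    addresses = set()
    smtp_hosts = set()
    for line in text.splitlines():
        row = line.strip()
        if not row:
            continue
        kind, email, host, _port = classify_row(row)
        counts[kind] += 1
        if kind != "malformed":
            addresses.add(email.lower())
        if kind == "smtp":
            smtp_hosts.add(host.lower())
    return {
        "counts": dict(counts),
        "unique_addresses": len(addresses),
        "smtp_hosts": sorted(smtp_hosts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

The `dave@example.com:let:me:in:smtp.example.com:465` row shows why the split is done from the right: a password containing colons still yields the correct host and port. Anything that fails address validation is reported under `malformed` so the analyst sees how much of the file is scraped noise, as Hunt observed, instead of treating it as usable data.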

The unfortunate reality for all of us, he says, is that "email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today."

That is just the traditional spam side. Benkow has been tracking Onliner's delivery of malware, particularly Ursnif, and it is thought that some 100,000 computers around the world have been infected.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.